Knowing When to Trust

How Can Security Professionals Know When to Trust and When to Hold Their Cards Close?

The Byrds 1965 hit song “Turn! Turn! Turn!” has always been a favorite of mine. The lyrics of the song (which are taken from a well known source) are as follows:

To every thing there is a season, and a time to every purpose under the heaven:

A time to be born, and a time to die; a time to plant, a time to reap that which is planted;

A time to kill, and a time to heal; a time to break down, and a time to build up;

A time to weep, and a time to laugh; a time to mourn, and a time to dance;

A time to cast away stones, and a time to gather stones together;

A time to embrace, and a time to refrain from embracing;

A time to get, and a time to lose; a time to keep, and a time to cast away;

A time to rend, and a time to sew; a time to keep silence, and a time to speak;

A time to love, and a time to hate; a time of war, and a time of peace.

As the song’s lyrics express, there is a time for everything. While there are times when holding your cards close and putting up high walls is necessary, there are certainly times where only trust can open the requisite doors. Yet, at the same time, it can be difficult to know who to trust in a world filled with a wide variety of characters.

So what does this have to do with security? Security professionals know all too well that security is a profession built upon trust. Hiring. Information sharing. Referrals. Advice. Methodologies. Connections. The list of items in the security profession for which trust is the primary facilitator is a long one.

So how can security professionals know when to trust and when to hold their cards close? This is an important question that many security professionals, myself included, struggle with. While I certainly don’t have everything all figured out, I would like to offer 10 points to consider when evaluating whether or not to trust:

1. Give and take: Security, like life, is a give and take. Those who receive are usually quite happy to give back. Unfortunately, not everyone is like that. If you only hear from someone when they need something, if they are always looking for that next piece of information or that next favor, and if they never give back, chances are that you can’t really trust them.

2. Everyone loves free advice: During my consulting days, I learned the hard way just how much people love free advice. Unfortunately, there are more than a few people that will promise you the world in exchange for your insight. But if they disappear at the slightest mention of money, more than likely, they can’t be trusted.

3. Not the stock market: Trusting someone inherently involves some risk. While a calculated risk or educated guess can pay dividends, trusting someone who shouldn’t be trusted can come at a high price. If by trusting someone you feel like you’re betting on the horses or playing the stock market, it’s probably best to hold your cards close in that particular situation.

4. Trust me: Sometimes, people feel a need to remind you repeatedly that you can trust them. In my experience, this is a red flag. Truly trustworthy people’s reputations speak for themselves. Trustworthy people don’t need to fast talk the next person whose good nature they’re looking to exploit.

5. Don’t worry: In a similar vein, people who feel a need to reassure you continually that you needn’t worry are most often cause for worry. If something sounds too good to be true, or if something sounds a bit far-fetched, it usually is.

6. Very interesting idea: For some people, being straightforward and direct is a challenge. Saying “no” is a definitive answer that can have undesired consequences for an untrustworthy person. If this type of person is looking to leave a potential door open, if they are looking to lead someone along, or if they are looking to stall, saying things like “that’s a very interesting idea” is a great way to keep the status quo of ambiguity and indecision going indefinitely.

7. Inconsistency: We’ve all spoken to people whose story keeps changing, those who give different answers in different settings, or those who can’t seem to give a straight answer. If you notice these behaviors, chances are that the person who exhibits them cannot be trusted.

8. Lack of transparency: People who have nothing to hide are often quite happy to be open, honest, straightforward, and transparent. When people are less than transparent, it may be a sign that they are hiding something, keeping something from you, or are otherwise less than trustworthy.

9. Paranoia or anxiety: Do you get a feeling of paranoia or anxiousness from someone? Besides being difficult to work in that type of an environment, it can be a sign that for one reason or another, the person is untrustworthy.

10. Projection: If someone is telling you that you are untrustworthy, that they don’t want to work with you, that they are unsure of your intentions, or similar such statements, it could be a sign of projection. People who are untrustworthy often project that character trait onto people who are trustworthy. If you see this happening, it’s likely a sign that the person you are working with is not trustworthy.

Knowing who to trust is a judgment call. While it is never an easy decision to make, there are a number of data points that can help security professionals evaluate whether or not trusting someone is an acceptable risk to take. In the end, only time will tell if the decision was a sound one or not. But understanding how to evaluate the trustworthiness of an individual up front can save a lot of pain down the line.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.